When the HITECH Act was enacted in 2009, it introduced to HIPAA a fun concept called “breach notification.” In effect, that means that when a security “breach” happens — such as a laptop with health records on it being stolen or lost — the affected clients need to be notified as does the federal government. If breach notification is your bag, you can read all about HIPAA’s breach notification rule in our article here.
Laptops and other mobile devices get stolen or lost rather frequently. However, there are great ways to secure these devices so that even if they are stolen, the bad guy can’t reasonably get in. Given that fact, shouldn’t there be some exception to the breach notification rule if the lost computer or smartphone is really well secured?
As you probably guessed, there is such an exception in the breach notification rule. That kind of exception is called a “safe harbor.” This safe harbor applies to more than just computers, of course. And, quite importantly, it only affects breach notification. That’s a pretty big deal, however. If your computer is secured to the safe harbor’s standards, and you lose it or it gets stolen, not having to report that breach to anyone can be a real life saver!
Sounds great! How do I get the safe harbor conditions on my computer or phone?
The safe harbor is attained by making all the health information on the computer or smartphone totally unreadable — and that means encryption.
We can’t just use any encryption, however. Legal safe harbor standards in general are an “A+” level of standard.
Enter “full device encryption.” Accept no substitutes and don’t settle for anything less. This means that every little bit and byte on your computer or phone is encrypted and only your one special encryption password can unlock it all, regardless of what any bad guy does to try to get in.
So how do I get full device encryption on my stuff? How much is this going to cost me??
It could very well be free!
If you have a Mac whose operating system isn’t several years old, you can get full disk encryption simply by going to your security settings and activating FileVault 2.
For Windows, there is also an encryption program called BitLocker. You can’t buy BitLocker separately. It only comes with the Pro version of Windows. In our experience, most therapists need to upgrade their Windows to the Pro version in order to get BitLocker.
On an iPhone, you simply need to set a strong passcode. That’ll do it. On Android phones, you need to turn on encryption in the security settings. And, of course, you need to set a strong passcode. Encryption on smartphones requires a little more thought and preparation than on computers, but it still works well. If you’re not sure about its effectiveness, see our article on why FBI vs. Apple was important for health care providers all over the US.
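Turning encryption on is only half the job; for the safe harbor you also want to be able to show that it is still on, for every device you use. The script below is an added example, not code from the article or from Person-Centered Tech. It assumes the status text printed by macOS’s built-in `fdesetup status` command and by Windows’ `manage-bde -status` command (run from an administrator prompt), and parses that text so a simple device inventory can record whether each machine is encrypted. The sample outputs embedded in it are constructed for offline testing; on a real Mac you would run `verdict filevault_on "$(fdesetup status)"`.

```shell
#!/bin/sh
# Added example (not part of the original article): check full-disk
# encryption status from the text that the operating systems' own
# tools print, so it can be recorded for a HIPAA device inventory.

# Return 0 if the supplied `fdesetup status` output says FileVault is on,
# 1 otherwise. The line is anchored so extra status lines do not matter.
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Return 0 only if every volume in the supplied `manage-bde -status`
# output reports "Protection Status: Protection On"; a single unprotected
# data volume is enough to fail the check.
bitlocker_all_on() {
    total=$(printf '%s\n' "$1" | grep -c 'Protection Status:')
    on=$(printf '%s\n' "$1" | grep -c 'Protection Status: *Protection On')
    [ "$total" -gt 0 ] && [ "$total" -eq "$on" ]
}

# Turn a check into the word an inventory sheet would record.
verdict() {
    if "$@"; then echo "encrypted"; else echo "NOT encrypted"; fi
}

# Constructed sample outputs (assumed to match the real tools' wording).
SAMPLE_MAC_ON="FileVault is On."
SAMPLE_MAC_OFF="FileVault is Off."
SAMPLE_WIN_MIXED="Volume C: [OS]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
Volume D: [Data]
[Data Volume]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off"

# Stand-alone demonstration of the three samples.
echo "Mac (FileVault on):  $(verdict filevault_on "$SAMPLE_MAC_ON")"
echo "Mac (FileVault off): $(verdict filevault_on "$SAMPLE_MAC_OFF")"
echo "Windows (D: off):    $(verdict bitlocker_all_on "$SAMPLE_WIN_MIXED")"
```

The Windows check deliberately looks at every volume, because BitLocker can protect the system drive while an external or second data drive stays in the clear; only a device where all volumes report protection should be counted toward the safe harbor.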
So you said that cheap or free software is the “good news.” Is there bad news?
The semi-bad news is that setting up full disk encryption is sometimes something you want skilled help with. If you’ve got a good tech helper, ask them to set it up with you. Or you can go to a professional geek or your local Apple store for assistance.
Also, the downside of full disk encryption is that it might be harder to share your computer with others. Remember that unlocking the whole machine will require your password every time you turn on the computer. You can certainly work around this, but it will require planning.
So that’s it? I just install the software and I get the safe harbor?
It’s almost that simple. Of all the techie things you can do to protect your clients’ information, full-disk encryption is probably the easiest and least expensive way to simplify your security efforts. You do still need to behave in ways that support the encryption, though. For example, the encryption is unlocked while you’re using your devices. You need to lock it up again in order to qualify for the safe harbor.
Those details are a little outside the scope of this article. We discuss them a lot in our courses and in our weekly Office Hours, however.
We have a robust Device Security Center (one for solo practitioners and one for group practices) with step-by-step device-specific tutorial videos that walk you through configuring each of the 10 technical security measures necessary for a safe harbor *and* for making a device safe and appropriate to be used to handle client info and access systems (like your EHR or practice email) that contain client info, along with documentation forms so that you can properly document your device security. The PCT Device Security Center was created to make it as easy as possible for therapists to achieve the easiest and most effective security methods they can for their computers and smartphones. Guidance on using full-disk encryption, plus walkthrough videos that explicitly show you how to set it up on your computer, are included in this learning center. Device Security Center access is provided through our Practice Care Premium service.
However you find your way to getting your gear qualified for the safe harbor in HIPAA’s breach notification rule, we strongly encourage you to do it. If all of us start using encryption in this simple and easy way, our clients and our society will be much safer.
Very useful information.
This is the most user-friendly article I have seen. Thank you very much.
Don’t forget: all of your computer backups need to be encrypted too, or your backup system may “leak” data from your encrypted computer into an unencrypted system, such as an external hard disk or cloud backup system. If you use a cloud backup system, you need to ensure that data is encrypted before it leaves your computer and that the encryption keys are not known by the cloud backup provider.
Tom, absolutely. And most of those encryption packages can be used to encrypt your backup disks, as well.
I have some disappointing news around online backup, however: even encrypting your data before backing it up to Internet sources may not cut the mustard anymore, due to the Office of Civil Rights’ recent statements. More about that here: https://dev-personcenteredtech.com/2013/07/online-data-backups-and-hipaa-compliant-practice-a-government-produced-monkey-wrench/
I do agree with Tom that it’s a good way to use online backup, however.
Roy, this is very helpful, thank you. I do have a couple of questions. My Mac version is 10.6.8
It has FileVault, but not FileVault 2. Is that sufficient?
Second, I’m wondering how to protect my iPad and iPhone 5?
I love the technology, but it does bring new questions and concerns for sure.
For the full-disk encryption, you’ll need FileVault 2. If your computer can handle it, upgrading to the recent version of MacOS is pretty cheap. You can take your computer to a pro geek or Apple store and they can help you, if you’re not sure how to do it.
I’ll be developing more articles on securing mobile devices, but in the mean time I have some good article links in the Resources page of my Zur Institute course on HIPAA Security: http://zurinstitute.com/hipaasecurity_resources.html#mobile
Good article. My only objection is you spelled “compleat” wrong in the title…
Thanks, Shane. :) But remember that “compleat” is the old-timey spelling of “complete.” It is often pronounced like “calm – play – aught.”
How is Windows 10 for the requirements for the “safe harbor” in HIPAA?
Roy, I have a MacBook Air that I purchased 2 years ago this month. I have the most recent version of Yosemite. What do I do to make FileVault accessible?
Hi Ana Maria,
Because you are a subscriber to our Person-Centered Tech Support service, we have videos you can use to answer that question in step-by-step detail. :) That particular process is demo’d here: https://dev-personcenteredtech.com/vidhelps/how-do-i-get-full-disk-encryption-on-my-device/
For others who wish to subscribe to Person-Centered Tech Support, details are here: https://dev-personcenteredtech.com/person-centered-tech-support/
Windows 10 Pro includes BitLocker, which will meet your needs.
There’s more to the story, though, especially with Windows and BitLocker. Subscribers to our Person-Centered Tech Support service have access to setup demo videos and need-to-knows for using BitLocker here: https://dev-personcenteredtech.com/vidhelps/how-do-i-get-full-disk-encryption-on-my-device/
For those who wish to subscribe to Person-Centered Tech Support, details are here: https://dev-personcenteredtech.com/person-centered-tech-support/
Thank you, Roy,
I have FileVault 2 already on, but do I also need to get a separate email encryption program? I get emails from folks on my Psychology Today and website (Brighter Vision) and while I have a notification that emails are not considered confidential modes of communication and to please limit/use discretion in how much info they share, some may not see that. Plus, I use Square for payments. (I did go ahead and contact them, following your or Rob’s recommendation to become listed as a medical entity rather than professional.) Thank you for making it your mission to help us private practice folks become HIPAA-intelligent and pro-active.
Hi Lisa,
Thanks for your questions and positive feedback! Roy loves helping people with exactly these sorts of considerations; however, he’s not able to personally address and give scenario-specific advice to all the inquiries he receives… which is exactly why I would highly recommend Person-Centered Tech Support, as it will give you access to Roy’s office hours where he can directly and specifically address your questions in detail, which I think is what’s needed in your situation. For each office hours session, you can submit all your questions and then either join the session via live webinar or watch the recording on demand like a podcast. You can learn more and subscribe here: https://dev-personcenteredtech.com/person-centered-tech-support/. Please e-mail me at [email protected] if you have any questions about PCTech Support.
If you do not use EHR on your laptop and don’t keep client-identifying files on the computer can you skip this? Similarly for the iphone, I don’t see what information other than contacts you would have on your iphone unless you use it to email clients, which I do not.
The answer to this is not as simple as it looks! Encryption will highly depend on the outcome of your risk analysis. Since you’re here, can I ask you where you are at in your annual risk analysis?